Linux - understanding the mount namespace & clone CLONE_NEWNS flag


Question

I am reading the mount & clone man pages. I want to clarify how CLONE_NEWNS affects the view of the file system for the child process.

(Figure: directory hierarchy tree)

Let's consider this tree to be the directory hierarchy. Let's say 5 & 6 are mount points in the parent process. I clarified mount points in another question.

So my understanding is: 5 & 6 being mount points means that the mount command was used previously to 'mount' file systems (directory hierarchies) at 5 & 6 (which means there must be directory trees under 5 & 6 as well).

From the mount man page:

A mount namespace is the set of filesystem mounts that are visible to a process.

From the clone man page:

Every process lives in a mount namespace.  The namespace of a process is the data 
(the set of mounts) describing the file hierarchy as seen by that process.  After 
a fork(2) or clone() where the CLONE_NEWNS flag is not set, the child lives in the 
same mount namespace as the parent.

Also:

After a clone() where the CLONE_NEWNS flag is set, the cloned child is started in a 
new mount namespace, initialized with a copy of the namespace of the parent.

Now if I use clone() with CLONE_NEWNS to create a child process, does this mean that the child will get an exact copy of the mount points in the tree (5 & 6) and still be able to access the rest of the original tree? Does it also mean that the child could mount 5 & 6 at will, without affecting what's mounted at 5 or 6 in its parent process's mount namespace?

If yes, does it also mean that the child could mount / unmount a different directory than 5 or 6 and affect what's visible to the parent process?

Thanks.

Recommended answer

The "mount namespace" of a process is just the set of mounted filesystems that it sees. Once you go from the traditional situation of having one global mount namespace to having per-process mount namespaces, you must decide what to do when creating a child process with clone().

Traditionally, mounting or unmounting a filesystem changed the filesystem as seen by all processes: there was one global mount namespace, seen by all processes, and if any change was made (e.g. using the mount command) all processes would immediately see that change irrespective of their relationship to the mount command.

With per-process mount namespaces, a child process can now have a different mount namespace from its parent. The question now arises:

Should changes made by the child to its mount namespace propagate back to the parent?

Clearly, this functionality must at least be supported and, indeed, must probably be the default. Otherwise, launching the mount command itself would effect no change (since the filesystem as seen by the parent shell would be unaffected).

Equally clearly, it must also be possible for this necessary propagation to be suppressed, otherwise we can never create a child process whose mount namespace differs from its parent's, and we have one global mount namespace again (the filesystem as seen by init).

Thus, we must decide when creating a child process with clone() whether the child process gets its own copy of the data about mounted filesystems from the parent, which it can change without affecting the parent, or gets a pointer to the same data structures as the parent, which it can change (necessary for changes to propagate back, as when you launch mount from the shell).

If the CLONE_NEWNS flag is passed to clone(), the child gets a copy of its parent's mounted filesystem data, which it can change without affecting the parent's mount namespace. Otherwise, it gets a pointer to the parent's mount data structures, where changes made by the child will be seen by the parent (so the mount command itself can work).

Now if I use clone with CLONE_NEWNS to create a child process, does this mean that the child will get an exact copy of the mount points in the tree (5 & 6) and still be able to access the rest of the original tree?

Yes. It sees the exact same tree as its parent after the call to clone().

Does it also mean that the child could mount 5 & 6 at will, without affecting what's mounted at 5 or 6 in its parent process's mount namespace?

Yes. Since you've used CLONE_NEWNS, the child can unmount one device from 5 and mount another device there, and only it (and its children) could see the changes. No other process can see the changes made by the child in this case.

If yes, does it also mean that the child could mount / unmount a different directory than 5 or 6 and affect what's visible to the parent process?

No. If you've used CLONE_NEWNS, the changes made in the child cannot propagate back to the parent.

If you haven't used CLONE_NEWNS, the child would have received a pointer to the same mount namespace data as its parent, and any changes made by the child would be seen by any process that shares those data structures, including the parent. (This is also the case when the new child is created using fork().)
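An added example, not from the question or answer above: the parent creates a child with clone(CLONE_NEWNS), the child first marks its copy of the mount tree private (the copy keeps the parent's propagation type, and on systemd hosts the root mount is shared, so without this step a new mount would still propagate back; unshare(1) does the same by default), mounts a tmpfs on a scratch directory, and both sides check /proc/self/mountinfo. It needs CAP_SYS_ADMIN; without it run_demo() returns DEMO_SKIPPED, and all function and constant names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/wait.h>

enum { DEMO_OK = 0, DEMO_SKIPPED = 1, DEMO_FAIL = 2 };
/* Copy the 5th field (the mount point) of a /proc/self/mountinfo line into mnt. */
int parse_mountpoint_field(const char *line, char *mnt, size_t n) {
    char buf[4096];                              /* fields: ID parent maj:min root MOUNTPOINT ... */
    if (sscanf(line, "%*s %*s %*s %*s %4095s", buf) != 1) return -1;
    return snprintf(mnt, n, "%s", buf) < (int)n ? 0 : -1;
}

/* Is `path` a mount point in the calling process's own mount namespace? */
int path_is_mountpoint(const char *path) {
    FILE *f = fopen("/proc/self/mountinfo", "r");
    char line[4096], mnt[4096]; int found = 0;
    if (!f) return 0;
    while (!found && fgets(line, sizeof line, f))
        found = parse_mountpoint_field(line, mnt, sizeof mnt) == 0 && strcmp(mnt, path) == 0;
    fclose(f);
    return found;
}
/* Child: starts in a new mount namespace initialized as a copy of the parent's. */
static int child_fn(void *arg) {
    /* The copy keeps the parent's propagation flags; "/" is shared on systemd hosts, so a new
     * mount would still propagate back. Make the tree private first (unshare(1) does this too). */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) return errno == EPERM ? DEMO_SKIPPED : DEMO_FAIL;
    if (mount("tmpfs", arg, "tmpfs", 0, NULL) != 0) return errno == EPERM ? DEMO_SKIPPED : DEMO_FAIL;
    return path_is_mountpoint(arg) ? DEMO_OK : DEMO_FAIL;        /* the child itself sees the mount */
}

/* Parent: clone(CLONE_NEWNS), wait, then confirm the child's mount is not visible here. */
int run_demo(void) {
    static char stack[64 * 1024];
    char dir[] = "/tmp/nsdemo.XXXXXX";                  /* constructed scratch directory */
    int rc = DEMO_SKIPPED, status;                       /* clone() refused => unprivileged => skip */
    if (!mkdtemp(dir)) return DEMO_SKIPPED;              /* no writable /tmp: nothing to show */
    pid_t pid = clone(child_fn, stack + sizeof stack, CLONE_NEWNS | SIGCHLD, dir);
    if (pid != -1 && waitpid(pid, &status, 0) == pid && WIFEXITED(status)) {
        rc = WEXITSTATUS(status);
        if (rc == DEMO_OK && path_is_mountpoint(dir)) rc = DEMO_FAIL; /* would mean it leaked */
    }
    rmdir(dir);
    return rc;
}
```

Call run_demo() from a main() as root (or inside a user namespace that grants CAP_SYS_ADMIN); DEMO_OK means the tmpfs appeared in the child's mountinfo and not in the parent's.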
